CVE-2014-3936 : Stack-based buffer overflow in the do_hnap function in www/my_cgi.cgi in D-Link DSP-W215 (Rev. A1) with firmware 1.01b06

Stack-based buffer overflow in the do_hnap function in www/my_cgi.cgi in D-Link DSP-W215 (Rev. A1) with firmware 1.01b06 and earlier, DIR-505 with firmware before 1.08b10, and DIR-505L with firmware 1.01 and earlier allows remote attackers to execute arbitrary code via a long Content-Length header in a GetDeviceSettings action in an HNAP request.

Published 2014-06-02 14:55:04

Updated 2023-04-26 19:27:52

Source MITRE

View at NVD, CVE.org

Vulnerability category: OverflowExecute code

Exploit prediction scoring system (EPSS) score for CVE-2014-3936

Probability of exploitation activity in the next 30 days: 96.35%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2014-3936

D-Link HNAP Request Remote Buffer Overflow

Disclosure Date: 2014-05-15

First seen: 2020-04-26

exploit/linux/http/dlink_hnap_bof

This module exploits an anonymous remote code execution vulnerability on different D-Link devices. The vulnerability is due to a stack based buffer overflow while handling malicious HTTP POST requests addressed to the HNAP handler. This module has been successfully t

More information

CVSS scores for CVE-2014-3936

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2014-3936

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-3936

http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10027

D-Link Technical Support
Vendor Advisory
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10029

D-Link Technical Support
Vendor Advisory
http://www.devttys0.com/2014/05/hacking-the-d-link-dsp-w215-smart-plug

Hacking the D-Link DSP-W215 Smart Plug – /dev/ttyS0
Exploit
http://packetstormsecurity.com/files/127427/D-Link-HNAP-Request-Remote-Buffer-Overflow.html

D-Link HNAP Request Remote Buffer Overflow ≈ Packet Storm
Exploit
http://www.securityfocus.com/bid/67651

DIR-505 and DIR-505L Stack Buffer Overflow Vulnerability
Exploit

Products affected by CVE-2014-3936

Dlink » Dsp-w215 Firmware » Update B06
Versions up to, including, (<=) 1.01
cpe:2.3:o:dlink:dsp-w215_firmware:*:b06:*:*:*:*:*:*
Matching versions
Dlink » Dsp-w215 » Version: A1
cpe:2.3:h:dlink:dsp-w215:a1:*:*:*:*:*:*:*
Matching versions
Dlink » Dir505 Shareport Mobile Companion Firmware
Versions up to, including, (<=) 1.07
cpe:2.3:o:dlink:dir505_shareport_mobile_companion_firmware:*:*:*:*:*:*:*:*
Matching versions
Dlink » Dir505 Shareport Mobile Companion » Version: A1
cpe:2.3:h:dlink:dir505_shareport_mobile_companion:a1:*:*:*:*:*:*:*
Matching versions
Dlink » Dir505l Shareport Mobile Companion Firmware
Versions up to, including, (<=) 1.01
cpe:2.3:o:dlink:dir505l_shareport_mobile_companion_firmware:*:*:*:*:*:*:*:*
Matching versions
Dlink » Dir-505l Shareport Mobile Companion » Version: A1
cpe:2.3:h:dlink:dir-505l_shareport_mobile_companion:a1:*:*:*:*:*:*:*
Matching versions